Debian Bug report logs - #776026
wheel: please make whl files reproducible


Package: src:wheel; Maintainer for src:wheel is Barry Warsaw <barry@debian.org>;

Reported by: Reiner Herrmann <reiner@reiner-h.de>

Date: Thu, 22 Jan 2015 22:09:01 UTC

Severity: wishlist

Tags: patch

Found in version wheel/0.24.0-1

Fixed in version wheel/0.24.0-2

Done: Barry Warsaw <barry@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Barry Warsaw <barry@debian.org>:
Bug#776026; Package src:wheel. (Thu, 22 Jan 2015 22:09:06 GMT).


Acknowledgement sent to Reiner Herrmann <reiner@reiner-h.de>:
New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Barry Warsaw <barry@debian.org>. (Thu, 22 Jan 2015 22:09:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: submit@bugs.debian.org
Subject: wheel: please make whl files reproducible
Date: Thu, 22 Jan 2015 23:03:20 +0100
[Message part 1 (text/plain, inline)]
Source: wheel
Version: 0.24.0-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain timestamps randomness

Hi!

While working on Debian's “reproducible builds” effort [1], we have noticed
that wheel files (.whl) cannot be built reproducibly.
The data inside metadata.json is unsorted and varies with each build.
And the zip archive timestamps also depend on the build time of packages.

The attached patch fixes this by sorting the JSON file, and by using fixed
timestamps for each file in the archive.

Regards,
 Reiner

[1]: https://wiki.debian.org/ReproducibleBuilds
[wheel_reproducible.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Barry Warsaw <barry@debian.org>:
Bug#776026; Package src:wheel. (Sun, 25 Jan 2015 15:45:04 GMT).


Acknowledgement sent to Reiner Herrmann <reiner@reiner-h.de>:
Extra info received and forwarded to list. Copy sent to Barry Warsaw <barry@debian.org>. (Sun, 25 Jan 2015 15:45:05 GMT).


Message #10 received at 776026@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 776026@bugs.debian.org
Subject: Re: wheel: please make whl files reproducible
Date: Sun, 25 Jan 2015 16:42:54 +0100
[Message part 1 (text/plain, inline)]
Hi,

Another small issue was found, which is fixed by the attached patch.
Please use this one instead of the previously submitted one.

Regards,
 Reiner
[wheel_reproducible.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#776026; Package src:wheel. (Mon, 08 Jun 2015 23:51:10 GMT).


Acknowledgement sent to Barry Warsaw <barry@debian.org>:
Extra info received and forwarded to list.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Mon, 08 Jun 2015 23:51:10 GMT).


Message #15 received at 776026@bugs.debian.org:

From: Barry Warsaw <barry@debian.org>
To: 776026@bugs.debian.org
Date: Mon, 8 Jun 2015 19:46:34 -0400
[Message part 1 (text/plain, inline)]
The only part of the patch I don't like is the hard-coding of the timestamp.
I don't have a better idea, but before I apply this I'm going to see if
upstream has any suggestions.  I'll include in that bug report the other two
fixes which look good.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#776026; Package src:wheel. (Tue, 09 Jun 2015 19:39:03 GMT).


Acknowledgement sent to Barry Warsaw <barry@debian.org>:
Extra info received and forwarded to list. (Tue, 09 Jun 2015 19:39:03 GMT).


Message #20 received at 776026@bugs.debian.org:

From: Barry Warsaw <barry@debian.org>
To: 776026@bugs.debian.org
Date: Tue, 9 Jun 2015 15:36:40 -0400
[Message part 1 (text/plain, inline)]
Upstream issue:

https://bitbucket.org/pypa/wheel/issue/143/reproducible-whl-files

My PR:

https://bitbucket.org/pypa/wheel/pull-request/52/apply-the-debian-patch-for-reproducible/diff

For the timestamp, I added support for $WHEEL_FORCE_TIMESTAMP envar, so after
this lands, we could change the build process for the package to

    export WHEEL_FORCE_TIMESTAMP=315576060

The other changes in the patch I applied directly.  Well, except I had to do
more work to make sorting of the items not fail.
[Message part 2 (application/pgp-signature, inline)]
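
The two fixes discussed in this thread (sorted JSON metadata and a fixed timestamp on every zip entry), shown as an added example; it is not the Debian patch and not wheel's own code. The function names, the sample files and `META_NAME` are hypothetical, and reading `WHEEL_FORCE_TIMESTAMP` as Unix epoch seconds is an assumption about how the variable is interpreted.

```python
import hashlib
import io
import json
import os
import time
import zipfile

# Constructed sample input (hypothetical package, not from the bug report).
META_NAME = "demo-1.0.dist-info/metadata.json"
SAMPLE_FILES = {"demo/__init__.py": "VERSION = '1.0'\n",
                "demo/core.py": "def run():\n    return 0\n"}
SAMPLE_META = {"name": "demo", "version": "1.0", "summary": "constructed"}


def forced_timestamp(environ=os.environ):
    """Epoch seconds from WHEEL_FORCE_TIMESTAMP, or None when unset."""
    value = environ.get("WHEEL_FORCE_TIMESTAMP")
    return int(value) if value is not None else None


def build_archive(files, metadata, timestamp=None, sort=True):
    """Build a wheel-like zip in memory and return its bytes."""
    stamp = time.time() if timestamp is None else timestamp
    date_time = time.gmtime(stamp)[:6]  # UTC, so the local zone is irrelevant
    members = dict(files)
    members[META_NAME] = json.dumps(metadata, sort_keys=sort)
    names = sorted(members) if sort else list(members)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3  # fixed value, not derived from the host
            info.external_attr = 0o644 << 16  # fixed permissions
            zf.writestr(info, members[name])
    return buf.getvalue()


def entry_times(blob):
    """Distinct (Y, M, D, h, m, s) timestamps stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted({entry.date_time for entry in zf.infolist()})


if __name__ == "__main__":
    stamp = forced_timestamp({"WHEEL_FORCE_TIMESTAMP": "315576060"})
    shuffled = dict(reversed(list(SAMPLE_FILES.items())))
    for files in (SAMPLE_FILES, shuffled):  # both digests are identical
        print(hashlib.sha256(build_archive(files, SAMPLE_META, stamp)).hexdigest())
```

With `sort=False` or no forced timestamp, the same inputs yield different bytes, so a digest comparison between two independent builds cannot confirm that a binary matches its source.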

Added tag(s) pending. Request was from barry@users.alioth.debian.org to control@bugs.debian.org. (Fri, 12 Jun 2015 15:09:03 GMT).


Reply sent to Barry Warsaw <barry@debian.org>:
You have taken responsibility. (Fri, 12 Jun 2015 18:36:04 GMT).


Notification sent to Reiner Herrmann <reiner@reiner-h.de>:
Bug acknowledged by developer. (Fri, 12 Jun 2015 18:36:05 GMT).


Message #27 received at 776026-close@bugs.debian.org:

From: Barry Warsaw <barry@debian.org>
To: 776026-close@bugs.debian.org
Subject: Bug#776026: fixed in wheel 0.24.0-2
Date: Fri, 12 Jun 2015 18:34:34 +0000
Source: wheel
Source-Version: 0.24.0-2

We believe that the bug you reported is fixed in the latest version of
wheel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Barry Warsaw <barry@debian.org> (supplier of updated wheel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 12 Jun 2015 14:14:29 -0400
Source: wheel
Binary: python-wheel python3-wheel python-wheel-common
Architecture: source all
Version: 0.24.0-2
Distribution: unstable
Urgency: medium
Maintainer: Barry Warsaw <barry@debian.org>
Changed-By: Barry Warsaw <barry@debian.org>
Description:
 python-wheel - built-package format for Python
 python-wheel-common - built-package format for Python
 python3-wheel - built-package format for Python
Closes: 776026 782405
Changes:
 wheel (0.24.0-2) unstable; urgency=medium
 .
   * d/control:
     - Bump Standards-Version with no other changes necessary.
     - Add XS-Testsuite header for DEP-8 tests.
   * d/rules:
     - Add commented out DH_VERBOSE setting.
     - Override the manpage date for reproducible builds. (Closes: #782405)
   * d/patch/reproducible-whls.diff: Add based on initial contribution
     from Reiner Herrmann, with further refinements by Barry Warsaw based
     on upstream pull request review.  (Closes: #776026)
   * d/watch: Use the pypi.debian.net redirector.
   * d/tests: Add smoke and reproducible .whl file DEP-8 tests.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 28 Jul 2015 07:28:48 GMT).